District contracts

Data Processing Agreement

Last updated May 17, 2026

Every district that licenses SafeGuideEd signs a Data Processing Agreement (DPA) that governs the handling of educator and student data. This page summarizes what the DPA covers and how to obtain it. If your district already uses a standard DPA template — for example the Texas Student Privacy Alliance (TXSPA) DPA, the SDPC National DPA, or your own — we co-sign it. If you do not have a template, we provide one.

1. What the DPA covers

The DPA defines: (a) the categories of data the district shares with SafeGuideEd — educator account data, lesson and instructional content, and roster data; (b) the purposes for which SafeGuideEd may process that data — operating the Service, no other use; (c) security and audit obligations — encryption at rest, row-level security, append-only audit logs, breach notice timelines; (d) sub-processors and the change process; (e) deletion and return obligations on termination; (f) confidentiality and compliance with FERPA, the Texas Student Privacy Act (Tex. Educ. Code § 32.151 et seq.), and applicable state and federal laws.

2. Texas-specific commitments

  • Student data hosted in the Supabase us-tx primary region — Texas residency on request.
  • No use of student personal information for advertising, marketing, or AI model training.
  • Append-only audit logs at the database level for every compliance event, satisfying HB 1605 evidence requirements.
  • Breach notice to the district within 72 hours of confirmed exposure of student data, with full incident report within 30 days.
  • District-controlled deletion: data is returned or deleted within 30 days of a written request, including from encrypted backups within the next rotation window.

3. Sub-processors

The DPA lists every downstream sub-processor and the data category each handles: Anthropic, xAI, Google, Ideogram, and OpenAI (generative AI, under no-training contracts via the Portkey gateway); Portkey (AI routing and cost ledger); Supabase (database and storage); Cloudflare (CDN, DDoS protection, Stream video); Fly.io (application hosting); Sentry (error tracking, identifiers redacted); PostHog (cookieless product analytics). See /sub-processors for the canonical list. We give districts 30 days notice before adding a new sub-processor that handles student data.

4. Acceptable templates

We co-sign any of the following without modification, subject to a short addendum that names sub-processors and breach contacts:

  • The TXSPA DPA (Texas Student Privacy Alliance, current revision).
  • The SDPC National DPA (Student Data Privacy Consortium).
  • Region-specific DPAs from Region 4, Region 10, Region 13, Region 16, or Region 18.
  • Your district's own DPA template, on review.

5. How to request the DPA

District counsel, procurement, or the data privacy officer can request the SafeGuideEd DPA at districts@safeguided.com. Include the district name, the DPA template you use (or note that you need ours), and a contact for redlines. Average turnaround is one business day; standard executed DPAs typically close within a week.

6. Related documents

Related contracts and disclosures: Privacy Notice · Terms of Service · FERPA Notice · Sub-processors · Trust Center.